
How to Identify a Phishing Email: 7 Signs to Check (2026)

secure-os · Updated June 20, 2026 · 6 min read · #phishing #security #email #social-engineering #passwords

A phishing email is a fake message built to look like it comes from someone you trust, so you’ll click a link, open an attachment, or type a password where the attacker can read it. The good news: most of them give themselves away if you know exactly what to look at. This is a practical, sign-by-sign checklist for identifying a phishing email before it costs you anything. (For the broader picture, see what phishing is.)

The mindset: slow down before you click

Phishing works on attention, not intelligence. The messages are engineered to make you act in the half-second before you think — a deadline, a threat, a too-good reward. The single most useful habit is simply to pause on any email that wants you to act immediately, then run through the signs below. None of them is proof on its own, but two or three together is a strong signal to stop.

1. The sender address doesn’t match the brand

The display name is trivial to fake. What’s harder to fake is the actual address behind it. Check the part after the @: a real message from a bank or service comes from its own domain (for example @yourbank.com), not a free mailbox like @gmail.com, not a look-alike (@yourbank-secure.com, @yourbank.support), and not a string of random characters. On mobile, tap the sender name to expand the full address — many phishing emails rely on you never doing that.

2. The greeting and tone feel off

Mass phishing is sent to huge lists, so it often opens with a generic greeting — “Dear Customer,” “Dear user,” or your email address instead of your name. A company you actually have an account with usually knows your name. (Targeted spear phishing can get this right, so a personal greeting isn’t a clean bill of health — it just removes one red flag.)

3. It manufactures urgency or fear

This is the engine of almost every phishing email: a reason you must act right now. “Your account will be suspended in 24 hours.” “Suspicious login — verify immediately.” “Your payment failed, update your details to avoid cancellation.” Legitimate organisations rarely threaten account closure by email on a countdown. Treat artificial time pressure as a warning sign in itself.

4. The links don’t go where they say they do

This is the tell that catches the most phishing. Hover your cursor over a link (on desktop) or press and hold it (on mobile) to preview the real destination before clicking. Watch for:

  • Visible link text that says one thing while the real URL points somewhere else entirely.
  • A look-alike domain — extra words before the real one (paypal.com.secure-login.net), swapped characters (paypa1.com, rnicrosoft.com), or an unfamiliar country suffix.
  • Link shorteners that hide the final address.

When in doubt, don’t click the link at all. Open a new tab and type the site’s address yourself, or use your own bookmark, then log in there.
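Signs 1 and 4 are the two a mail filter can check mechanically, so here is a worked example that does exactly that. It is added to this guide and is not code from secure-os or from any mail client: it reads the real address behind the From: display name, pulls every link out of an HTML body, and flags look-alike domains, link shorteners, and link text that names a different site than the href. The trusted-domain, shortener and homoglyph tables, the deliberately naive registrable-domain helper (a real tool would consult the public suffix list) and the sample message are all constructed for the example.

```python
"""Heuristic checks for sign 1 (sender domain) and sign 4 (link destination). Added
example, not secure-os code; the domain tables and sample message are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("yourbank.com", "paypal.com", "microsoft.com")  # brands' real domains (sample)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}          # hide the final address
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}            # character swaps (sample table)
URL_IN_TEXT = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)  # a hostname in link text

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive: a real tool consults the public suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def lookalike_of(host: str) -> "str | None":
    """Trusted domain this hostname imitates, or None. Catches a brand buried in a subdomain
    (paypal.com.secure-login.net), swapped characters (paypa1.com) and brand-plus-words."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return None  # the genuine domain itself
    unswapped = reg
    for fake, real in HOMOGLYPHS.items():
        unswapped = unswapped.replace(fake, real)
    for brand in TRUSTED_DOMAINS:
        if brand in host or brand.split(".")[0] in unswapped:
            return brand
    return None

def check_sender(from_header: str) -> list[str]:
    """Sign 1: the display name is trivial to fake, so judge the address behind it."""
    display, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2]
    if not host:
        return ["From header carries no usable address"]
    brand = lookalike_of(host)
    if brand:
        return [f"sender {addr} imitates {brand}"]
    claimed = display.lower().replace(" ", "")
    if registrable_domain(host) not in TRUSTED_DOMAINS and any(
            b.split(".")[0] in claimed for b in TRUSTED_DOMAINS):
        return [f"display name '{display}' names a brand but address is {addr}"]
    return []

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html: str) -> list[str]:
    """Sign 4: compare what each link shows with where it really points."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) in SHORTENERS:
            findings.append(f"shortened link hides its destination: {href}")
            continue
        brand = lookalike_of(host)
        if brand:
            findings.append(f"link to {host} imitates {brand}")
        shown = URL_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(f"link text shows {shown.group(1)} but points to {host}")
    return findings

def triage(raw_message: str) -> list[str]:
    """Run both checks over a raw message and return every finding."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = check_sender(str(msg.get("From", "")))
    body = msg.get_body(preferencelist=("html",))
    return findings + (check_links(body.get_content()) if body is not None else [])

# Constructed sample: a fake bank alert using the link tricks listed above.
SAMPLE_EMAIL = """\
From: Your Bank Security <alerts@yourbank-secure.com>
Content-Type: text/html; charset=utf-8

<p><a href="https://yourbank.com.secure-login.net/verify">https://www.yourbank.com/login</a></p>
<p><a href="https://bit.ly/3abc">Update your payment details</a></p>
<p><a href="https://www.yourbank.com/help">Help centre</a></p>
"""
```

Calling triage(SAMPLE_EMAIL) returns four findings: the sender imitating yourbank.com, the first link both imitating the brand and disagreeing with its visible text, and the shortened link; the genuine Help centre link produces nothing. These are signals in the sense the guide uses, not proof: two hits is the threshold to stop and verify, and the homoglyph table is a tiny sample of the substitutions real look-alike domains use.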

5. It pushes an unexpected attachment

A real invoice, parcel slip or “voicemail” you weren’t expecting is a classic phishing delivery method. Be especially wary of attachments that ask you to “enable content,” “enable macros,” or “enable editing” — that prompt exists to run code on your machine. Office documents, .html files and .zip archives from an unknown sender are high-risk. If you didn’t ask for it, don’t open it. (Attachments are also how a lot of malware gets in.)
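For sign 5 the same kind of check can run over the attachments themselves. This is an added example, not secure-os code: it walks the MIME parts of a message, flags the file types the paragraph above calls high-risk, catches double extensions such as invoice.pdf.html, and opens modern Office documents (which are zip containers) to see whether a vbaProject.bin macro part is present, which is what the “enable macros” prompt would run. The extension lists and the sample message, including its placeholder .docm, are constructed for the example.

```python
"""Flag risky attachments: the file types the guide names as high-risk and Office
documents that actually carry a VBA macro project. Added example, not secure-os
code; the extension lists and the sample message are constructed."""
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

RISKY_EXTENSIONS = {".html", ".htm", ".zip", ".js", ".vbs", ".docm", ".xlsm", ".pptm"}
OFFICE_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}

def has_vba_project(data: bytes) -> bool:
    """Modern Office files are zip containers; a macro project is stored as a part
    named vbaProject.bin (under word/, xl/ or ppt/). Anything that is not a zip -> False."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(n.lower().endswith("vbaproject.bin") for n in archive.namelist())
    except zipfile.BadZipFile:
        return False

def check_attachments(raw_message: bytes) -> list[str]:
    """Return one finding per risky trait of each attachment in a raw message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name.lower())[1]
        if name.count(".") > 1:  # invoice.pdf.html: the last extension decides what opens it
            findings.append(f"{name}: double extension, real type is {ext}")
        if ext in RISKY_EXTENSIONS:
            findings.append(f"{name}: high-risk type {ext}")
        if ext in OFFICE_EXTENSIONS and has_vba_project(part.get_payload(decode=True) or b""):
            findings.append(f"{name}: Office document contains a VBA macro project")
    return findings

def build_sample() -> bytes:
    """Constructed message: a .docm with a placeholder macro part (not a working
    document), a double-extension HTML file and a harmless PDF."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        archive.writestr("word/vbaProject.bin", b"")  # placeholder, empty on purpose
    msg = EmailMessage()
    msg["From"] = "accounts@parcel-notice.example"
    msg["To"] = "customer@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(docm.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment(b"<html><body>placeholder</body></html>", maintype="text",
                       subtype="html", filename="receipt.pdf.html")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()
```

check_attachments(build_sample()) yields four findings: two for invoice.docm (high-risk type and a macro project inside), two for receipt.pdf.html (double extension and high-risk type), and none for terms.pdf. The zip inspection is the useful part: a macro-enabled document is dangerous whether or not its name ends in .docm, so the check looks inside rather than trusting the extension alone.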

6. It asks for credentials, codes or payment details

No legitimate service will email you and ask for your password, full card number, or two-factor code. Your bank will never need your login by reply. A message asking you to “confirm” these details — or to move money “to keep it safe” — is phishing until proven otherwise. The same goes for one-time codes: an attacker who already has your password just needs you to read them the code out loud.

7. The writing has small tells

Modern phishing can be polished, so this is the weakest signal — but it still helps. Watch for slightly awkward phrasing, inconsistent branding, logos that look stretched or low-resolution, mismatched footers, or an email that mixes formal and clumsy language. Any one of these alongside another red flag tips the balance toward “delete.”

A quick checklist

Before you click anything in an email that wants action, ask:

  1. Is the sender’s real address the brand’s own domain?
  2. Is it a generic greeting rather than my name?
  3. Is it pushing urgency or a threat?
  4. Where do the links actually point when I hover?
  5. Is there an unexpected attachment asking me to enable something?
  6. Is it asking for a password, code or payment detail?
  7. Are there odd phrasing, logos or footers?

Two or more “yes” answers mean stop and verify through a channel you trust.

What to do when you spot one

  • Don’t click, reply, or open attachments. Replying confirms your address is live.
  • Verify out of band. If it claims to be your bank, call the number on your card — never a number from the message.
  • Report it, then delete. Most mail apps have a “Report phishing” button; reporting helps the provider block the campaign for others too.
  • If you already clicked or entered a password, change that password immediately on the real site, and on any other account that reused it.

A password manager won’t fill a fake page

Even a careful reader can be fooled by a perfect look-alike page. This is where a password manager quietly earns its keep. It ties every saved login to the exact real domain it belongs to — so on a phishing page hosted at a different address, it simply won’t offer to autofill your credentials. That silent non-fill is often the clearest signal that a “login page” is fake, and it stops you from typing your password into the wrong place.

And a second factor stops the stolen password

Identifying phishing is your first line of defense, but you’ll never be perfect — so build a backup. With two-factor authentication turned on, a password an attacker phishes out of you isn’t enough on its own to get in; they’d also need your second factor. App-based codes or a hardware key are stronger than SMS, which can itself be intercepted.

The honest takeaway

You don’t spot phishing with a single magic tell — you spot it by slowing down and running a short checklist: who really sent it, what it’s pressuring you to do, where its links go, and what it’s asking for. Get those habits right, then put a password manager and two-factor authentication behind them, and a convincing phishing email turns into a near-miss instead of a stolen account.